<?xml version="1.0" encoding="UTF-8"?><rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/">
  <channel>
    <title>Syslog</title>
    <link>https://blog.corrupted.io/</link>
    <description>The technician has been informed.</description>
    <pubDate>Sat, 04 Apr 2026 19:24:35 +0000</pubDate>
    <image>
      <url>https://i.snap.as/ISoU2U3Z.png</url>
      <title>Syslog</title>
      <link>https://blog.corrupted.io/</link>
    </image>
    <item>
      <title>Bad ideas and becoming a warden</title>
      <link>https://blog.corrupted.io/bad-ideas-and-becoming-a-warden?pk_campaign=rss-feed</link>
      <content:encoded><![CDATA[<p>I have always been annoyed with the direction game companies have been going and have tried to make VFIO work for me. I’ve had some success but it’s fiddly, so I have been looking to be less fiddly.</p>



<p>Looking at the interface around Proxmox and how much you can leverage under the hood, since you know it’s Debian+KVM+LXC with a face and some makeup, I decided to go and fiddle with it to create in essence a jail on this super beefy VFIO box I have. I am going to try and stuff every workstation on it into its own VM; my main systems will have GPUs passed through to them.</p>

<p>What I have in my head right now is the host will have Proxmox. The host will have an NVMe disk assigned to it and use ZFS. It is a Ryzen 9 3950x with 64GB of RAM, 3 NVMe disks in it, 2 network interface cards (a 2.5gbps and a 1gbps card), a couple add-on USB controllers, built on an Aorus Master wireless board of some type I forget exactly, but it was suited for this task and has isolated IOMMU groups.</p>

<p>Inside the host there will be 2 VMs:</p>
<ul><li>One will be a Linux VM with an Intel ARC GPU and USB controller passed through to it.</li>
<li>The other VM for this test will be a Windows 11 VM with an Nvidia RTX 3060, USB controller, and 1 NVMe disk passed through to it.</li></ul>

<p>There may be other VMs down the line but I want to make the test as simple as I can. There is a bunch of potential here, especially for some basic low-hanging fruit isolation (yes, I know on x86 virtualization isn’t really isolation, blah blah blah), and a bit more ability to use this giant beefy box and reconfigure its ability to do what I need on the fly. I will keep some notes and post a lot more about it as I go.</p>

]]></content:encoded>
      <guid>https://blog.corrupted.io/bad-ideas-and-becoming-a-warden</guid>
      <pubDate>Tue, 26 Sep 2023 19:51:24 +0000</pubDate>
    </item>
    <item>
      <title>My ADHD diagnosis</title>
      <link>https://blog.corrupted.io/my-adhd-diagnosis?pk_campaign=rss-feed</link>
      <content:encoded><![CDATA[<p>A few months ago shortly after my son I was officially diagnosed. Talking to the doc it made so many things that I did as a kid make sense and made me realize you can be very smart and very ADHD.</p>



<p>I remember when I was younger they tried to have my mom at least get me checked out but she refused because I was “too smart”. In retrospect the struggling that caused was a source of a lot of my anger and overcompensation issues. Getting some proper help instead of 100% struggle bus all the time started making me resent my mom over it.</p>

<p>Don’t make people struggle; they may not have words for what is going on. Help mentor and guide people into compensating for their weaknesses, maybe even help them give it a name. Getting diagnosed sooner might not have changed much but it would have made it easier for me to understand and probably would have helped me develop coping strategies sooner instead of being stubborn. The coping strategies are better than anything else long term, and learning them as soon as possible could be life-changing.</p>

<p>I plan on helping my son figure out what I figured out the hard way sooner than I did, if he is willing. But I am still mad at my own situation to some degree because it didn’t have to be this way.</p>

]]></content:encoded>
      <guid>https://blog.corrupted.io/my-adhd-diagnosis</guid>
      <pubDate>Tue, 11 Jul 2023 16:27:44 +0000</pubDate>
    </item>
    <item>
      <title>Back to Linux</title>
      <link>https://blog.corrupted.io/back-to-linux?pk_campaign=rss-feed</link>
      <content:encoded><![CDATA[<p>So I realized I never actually followed back up with my experiment. I gave it a pretty solid college try and did a lot of stuff with WSL and VMs but it just never felt right; it always felt that Big Brother was watching, which in the grand scheme of things isn&#39;t wrong, but why would they care. But the direction Microsoft was taking with Windows to start was eeeehhhh, then Windows 11 came out. Gave that a shot too and realized it wasn&#39;t where I was wanting to follow. I might try living on a Mac for a while because Arm FTW and I got one through a back to school raffle thing and my PC laptop is getting questionable after getting beat around enough, but that will be probably until I get the cash together to get a Framework laptop.</p>

<p>In the end my laptop and mobile machine really is just a dumb terminal to write, browse the web, chat, and connect to my much more powerful desktop, so in the end, while it&#39;s critical, what it runs is less so as long as I can get VIM, VSCode, SSH, and a decent terminal editor on it.</p>

]]></content:encoded>
      <guid>https://blog.corrupted.io/back-to-linux</guid>
      <pubDate>Fri, 11 Nov 2022 18:05:58 +0000</pubDate>
    </item>
    <item>
      <title>A Short Experiment</title>
      <link>https://blog.corrupted.io/a-short-experiment?pk_campaign=rss-feed</link>
      <content:encoded><![CDATA[<p>Over the past few weeks and months, looking at various roles and jobs, I have had an increasing need to move my mobile machine back to Windows.</p>

<p>So for the next few months I am going to move my laptop back to Windows 10 and see if that may just be the way it is for now. Linux has been okay but the numerous little nags and niggles around things like battery regressions and captive portals not working reliably have always annoyed me, and usually at a time they are least convenient. So I think from now until sometime early January I&#39;m going to go whole hog back into Windows and Windows 10 and do it with an open mind. I will try to post about my trials and tribulations with it.</p>

]]></content:encoded>
      <guid>https://blog.corrupted.io/a-short-experiment</guid>
      <pubDate>Mon, 25 Nov 2019 17:24:52 +0000</pubDate>
    </item>
    <item>
      <title>Hostile observability</title>
      <link>https://blog.corrupted.io/hostile-observability?pk_campaign=rss-feed</link>
      <content:encoded><![CDATA[<p>In an increasingly connected world we are starting to see more sophisticated attacks being commoditized and sold very similar to how you would buy a word processing suite. Due to this we are seeing a surge in movement toward the removal of trusted networks and apps and an increase in isolation and security domains. While that is a great start, I honestly think we could do better: we should not only avoid trusting anything in the stack, we also need to have ubiquitous low impact monitoring of every part of the system.</p>

<p>This post is just a stream of thoughts right now and will contain no whiz-bang how-tos, just my ramblings of why system observability is important.</p>

<p>There is an adage that goes “who watches the watcher” and this is increasingly becoming a larger concern in modern systems. As we rely more and more on the operating system to help us isolate everything, all we have managed to do is move the trust boundary back instead of eliminate it, and now the OS is the watcher, but how do we know for sure that it is working for us? The answer is, for a lot of systems, we really don’t. Even open source systems like Linux are only really now starting to come around to this, and due to that you are not seeing it used very much in production yet.</p>

<p>Honestly, techs like DTrace and eBPF are not only miracles for profiling systems, they also help us look under the hood. With tools like that you can write scripts and live instrumentation and tooling that tell you things like what has been writing to your password file; you can do it in real time and fire alerts off when something unexpected does so, as an example. Another example of what you might do with this is plug it into SIEMs that do behavior analysis. So Eve is working on Mallory’s team and is not part of Alice’s skunkworks team. Eve managed to figure out Bob’s password, and for some reason now, while Bob is on vacation, he is logged in from the office and accessing top secret files and changing configuration by hand on a production server outside of Bob and Alice’s configuration management and change control system. The SIEM would pick up the various signals here, including the one gleaned from not trusting any part of the system, and let your agents know that someone from Eve’s terminal is logged in as Bob and is messing with secrets.</p>

<p>In addition to this, if we start watching and logging things like process launches, system file modifications, and other bits of the system’s state, you can glean things like where a piece of malware came from. What were the first machines? How were they infected? Are there any anomalies we can use to spot similar stuff as it happens? As an example of this, when NotPetya came into existence Microsoft was able to use the telemetry it collects into its own black box, which collects a lot of similar info, to find the first machine infected with the malware and was able to develop a detection signature based off the first few things it did. Without this info they would have eventually figured it out by infecting machines and watching them from a controlled environment, but that cycle is getting longer and longer. The various groups that are making fortunes selling commodity malware have wised up to that game and have been trying to detect and lock out researchers.</p>

<p>But to sum this up, we need more observable systems. Stop trusting anything in your environment, or at the very least trust but verify. Collect the data, create alarms and monitoring based on it. If your monitoring misses something, add to it. Above all else, once you gain this data, share as much as your risk profile allows. By working together we can protect ourselves and others, and make the interconnected world a bit safer.</p>

]]></content:encoded>
      <guid>https://blog.corrupted.io/hostile-observability</guid>
      <pubDate>Thu, 14 Nov 2019 17:29:27 +0000</pubDate>
    </item>
    <item>
      <title>Techlog</title>
      <link>https://blog.corrupted.io/techlog?pk_campaign=rss-feed</link>
      <content:encoded><![CDATA[<p>This is the initial post for the sneaky.dev domain. There are some things here I will have to pull over but keep your eyes peeled.</p>

<p>The main goal here will be for me to put my stream of technical discoveries and howtos.</p>

]]></content:encoded>
      <guid>https://blog.corrupted.io/techlog</guid>
      <pubDate>Wed, 06 Nov 2019 15:11:43 +0000</pubDate>
    </item>
  </channel>
</rss>